PCI Overview - IT Security

What you need to know about PCI-DSS
Jane Drews
Chief Information Security Officer
Information Security & Policy Office
[email protected], 5-5537
Topics
1. PCI-DSS Basics for University of Iowa merchants
2. Point to Point Encryption (P2PE)
3. EMV Credit Cards
4. Isolated “PCI Environment” for University CC operations
PCI-DSS: Basics
1. UI policy requires merchants to comply with PCI-DSS, no exceptions
2. Reducing PCI-DSS “scope” is our strategy to reduce UI compliance requirements and minimize the institution’s risk of a card data breach
3. Scope is about communication between devices
• Any IT device or system involved in processing card payments, or that shares the infrastructure that supports payments, is “in scope” and must comply
• Encryption has been touted by some vendors as a way to avoid the rigor of compliance; however, that has not been demonstrated, and it is not UI policy
4. It is not the card brands, but the acquiring bank, that decides how we must validate our compliance
Point to Point Encryption (P2PE):
• P2PE Standard = technology and processes to protect account data from the point of interaction (card reader) to the point of initial decryption (transaction processor)
• Card reader establishes an encrypted “tunnel” through which the PAN is sent to the processor. The authorization code is returned and sent to the point of sale cash register or the server
• PAN is never seen by the cash register or the server
• The merchant is never allowed to perform encryption key management under the P2PE standard
Point to Point Encryption (P2PE):
• The standard for point-to-point encryption solutions does not supersede the PCI Data Security Standard, PCI PIN Security Requirements, or any other PCI Standards
• The P2PE standards are not a recommendation, and do not obligate merchants, service providers, or financial institutions to purchase or deploy such solutions
• P2PE capable devices will be the target for attacks, as the PAN could be intercepted by malware on the device before encryption occurs
• Implementing P2PE doesn’t eliminate the need to comply with PCI-DSS
EMV Credit Cards
• Referred to as “chip and PIN” or “chip and signature” cards
• Smart cards that store data on a chip rather than on a magnetic stripe, although most cards currently carry both for backward compatibility and transition purposes
• Can be contact cards (reader) or contactless cards (RFID)
• Banks can transfer liability/costs for face-to-face (card present) fraud to merchants that don’t support EMV cards (Oct 2015)
• Supporting EMV cards does not eliminate the need to comply with PCI-DSS
UI’s Isolated PCI Environment:
1. All peripherals migrate to the PCI network (registers, readers, etc.):
• Any device involved in transaction processing that connects to the UI network
2. All servers migrate to the ITF data center:
A. Level III (high sensitivity) data storage/handling servers, critical operations servers, and servers with peripherals move to the High Security Zone
• Secure configuration required, very restricted communications, full logging, monitored system and data access, etc.
B. Non-critical web servers that don’t pass CC information move to the Medium Zone, Co-Managed Zone, or Co-Location Zone
• Secure configuration required, no communication with peripherals, full logging, etc.
3. Goal is to simplify compliance responsibilities
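As an added illustration (not part of the presentation), the scope rule from the Basics slide, “any device that shares the infrastructure supporting payments is in scope”, treated as reachability over communication paths, run against a constructed flat departmental network and against the isolated PCI environment just described. The device names, the links, and the choice to stop traversal at the external payment processor are assumptions made for the example.

```python
from collections import deque

# Constructed device inventories (assumptions, not from the presentation). Each pair
# is a communication path; a shared network or switch is modelled as a node of its
# own, because sharing infrastructure with a payment device pulls a system into scope.
FLAT_NETWORK = [
    ("card-reader", "pos-register"),
    ("pos-register", "dept-switch"),
    ("dept-fileserver", "dept-switch"),
    ("staff-laptop", "dept-switch"),
    ("dept-webserver", "dept-switch"),
    ("dept-switch", "payment-processor"),
]
ISOLATED_PCI_ENV = [
    ("card-reader", "pci-network"),           # peripherals live on the PCI network
    ("pos-register", "pci-network"),
    ("pci-network", "hsz-app-server"),        # only the High Security Zone talks to them
    ("hsz-app-server", "payment-processor"),
    ("dept-fileserver", "dept-switch"),       # departmental LAN: no path to the PCI network
    ("staff-laptop", "dept-switch"),
    ("dept-webserver", "dept-switch"),
    ("dept-webserver", "payment-processor"),  # Medium Zone web server hands off to the processor
]
PAYMENT_DEVICES = {"card-reader", "pos-register"}
EXTERNAL = {"payment-processor"}  # the acquirer side: reached, but not traversed further

def build_graph(links):
    """Adjacency sets; every path is taken to be bidirectional (a shared segment)."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def pci_scope(links, payment_devices=PAYMENT_DEVICES, external=EXTERNAL):
    """Everything reachable from a payment device over a communication path is in scope."""
    graph = build_graph(links)
    scope = set(payment_devices)
    queue = deque(payment_devices)
    while queue:
        node = queue.popleft()
        if node in external:          # outside the university network; stop here
            continue
        for neighbour in graph.get(node, ()):
            if neighbour not in scope:
                scope.add(neighbour)
                queue.append(neighbour)
    return scope

def out_of_scope(links, **kw):
    """Devices in the inventory that never touch the payment path."""
    return {n for pair in links for n in pair} - pci_scope(links, **kw)
```

On the flat network every device, the staff laptop included, lands in scope because the one shared switch connects it to the register; in the isolated environment only the peripherals, the PCI network, and the High Security Zone application server remain.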
Diagram: ITF Data Center (all servers)
• High Security Zone: critical app servers and L3 databases that communicate with CC peripherals
• Medium, Co-Lo, other zones: web servers that transfer to payment processing, no CC peripherals
PCI Network: all CC peripherals
Bank ($)